Embed Size (px)
Citation preview
Cloud Usage: Risks and
Opportunities Report September 2014
© 2014 Cloud Security Alliance - All Rights Reserved. 2
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
© 2014 Cloud Security Alliance – All Rights Reserved
All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security
Alliance “Cloud Usage: Risks & Opportunities” at https://cloudsecurityalliance.org/research/surveys/, subject to the
following: (a) the Document may be used solely for your personal, informational, non-commercial use; (b) the Document
may not be modified or altered in any way; (c) the Document may not be redistributed; and (d) the trademark, copyright
or other notices may not be removed. You may quote portions of the Document as permitted by the Fair Use provisions
of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “Cloud Usage:
Risks & Opportunities” (2014).
© 2014 Cloud Security Alliance - All Rights Reserved. 3
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
Acknowledgements
Managing Editors / Researchers
Luciano (J.R.) Santos, Global Research Director, CSA
John Yeoh, Senior Research Analyst, CSA
Design/Editing Kendall Cline Scoboria, Graphic Designer, Shea Media
Evan Scoboria, Co-Founder, Shea Media; Webmaster, CSA
Sponsors
Netskope, the leader in safe cloud app enablement
Okta, an enterprise-grade identity management service
© 2014 Cloud Security Alliance - All Rights Reserved. 4
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
Table of Contents
Acknowledgements.................................................................................................................................................3
Table of Contents....................................................................................................................................................4
Introduction ...........................................................................................................................................................5
Usage .....................................................................................................................................................................6
Risks.......................................................................................................................................................................9
Response Comment Sampling................................................................................................................................ 11
Summary.............................................................................................................................................................. 12
References ........................................................................................................................................................... 12
© 2014 Cloud Security Alliance - All Rights Reserved. 5
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
Introduction
This survey was circulated to over 165 IT and security professionals in the U.S. and around the globe representing a
variety of industry verticals and enterprise sizes. The goal was to understand their perception of how their enterprises
are using cloud apps, what kind of data are moving to and through those apps, and what that means in terms of risks.
Beyond raising awareness around cloud service risk, the findings of this survey are intended to provide usage
intelligence that helps IT, security, and business decision-makers take action in their organizations – from consolidating
and standardizing on the most secure and enterprise-ready cloud services, to knowing what policies will have the most
impact, to understanding where to focus when educating users.
Survey respondents were categorized into the following:
© 2014 Cloud Security Alliance - All Rights Reserved. 6
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
Usage
How many cloud apps do you believe are in
use for business purposes in your
organization?
More than half (54 percent) of the respondents believe that they
have ten or fewer cloud apps running in their organization, with 87.1
percent indicating 50 or fewer and a weighted average of 23 apps per
organization. These estimates are far lower than those reported by
vendors who observe more than 500 cloud apps, on average, per
enterprise.
Approximately what percentage of the total
applications in your organization are cloud-
based?
59.3 percent of respondents believe that a fourth or fewer of their
total apps are in the cloud. This differs from recent studies, such as
Data Breach: The Cloud Multiplier Effect, a survey carried out by the
Ponemon Institute, in which respondents reported that 45 percent of
their software applications are in the cloud.
To how many cloud apps do you believe your
users are uploading content?
Over 60 percent of respondents believe that content is uploaded to
10 or fewer cloud apps.
© 2014 Cloud Security Alliance - All Rights Reserved. 7
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
Approximately what percentage of content
that is uploaded to cloud apps do you believe
is sensitive?
74.8 percent of respondents say their users upload content to 20 apps
or fewer, yet nearly half (49.1 percent) report that over one-fourth of
that content is sensitive.
Approximately what percentage of sensitive
content that is uploaded to cloud apps do you
believe has been shared with unauthorized
individuals or individuals outside of your
organization?
Nearly half (48.1 percent) of respondents say that less than 5 percent
of their sensitive content in the cloud has been shared with
unauthorized individuals or individuals outside of the organization.
How many cloud apps do you believe are most
used on employee BYOD mobile devices and/or
unsecured devices?
50 percent of respondents say that their users have 5 cloud apps or
fewer on employee BYOD devices.
© 2014 Cloud Security Alliance - All Rights Reserved. 8
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
Well over half of the respondents reported having a policy addressing bring-your-own devices, and over 80 percent
believe it is at least somewhat followed.
Which cloud app categories do you
believe have the highest number of
apps?
Respondents reporting believing that cloud storage is
the most plentiful category, with webmail and cloud
backup in second and third place.
More than half (52.2 percent) of respondents believe
that less than a fourth of their cloud apps are deployed
departmentally (vs. company-wide). This runs counter
to data that show that approximately 90 percent of
cloud apps are unknown to IT.
© 2014 Cloud Security Alliance - All Rights Reserved. 9
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
Risks
Which cloud app categories do you
believe are the most risky based on
your organization's definition of risk?
Most people’s perception is that cloud storage is the
riskiest category, followed by finance/accounting and HR,
respectively.
The vast majority of
respondents report
having policies and
procedures in place to
protect data and ensure
compliance, and most
report that those
policies are well-
enforced.
© 2014 Cloud Security Alliance - All Rights Reserved. 10
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
Have you experienced a data breach
involving a cloud app in the last year?
Very few respondents, or nearly 4 percent, report
experiencing a data breach involving their cloud apps in the
past year.
Nearly 80 percent of policy enforcement in cloud
apps is in cloud storage and cloud backup,
indicating serious concerns about data leakage and
protection.
Non-public financials, other sensitive data, customer
records, employee records, and other non-sensitive data
were compromised in these breaches. 25 percent of the responses were unknown, and 25
percent of the responses had no corresponding
result. “Other” included loss of confidentiality.
© 2014 Cloud Security Alliance - All Rights Reserved. 11
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
What percentage of your cloud apps do
you believe are integrated with your
corporate directory to authenticate
users?
43.7 percent show less than 5 percent of apps are integrated
with their corporate directory. This displays a very low
monitoring of apps and calls for a need of better corporate
tools.
Over half of respondents reported that their organizations are developing custom cloud apps.
Response Comment Sampling
The following comments were collected from survey respondents:
“Cloud Security is most important. Respective procedures and policies have to be enforced by human and software.”
“Data and privacy are the important aspects to securing data in cloud.”
“How do we know what employee users are doing in the cloud and what authority they have to install applications?”
“There is a decrease of reputation when considering cloud solutions and not being able to state the risks and the
solutions to reduce the risks.”
© 2014 Cloud Security Alliance - All Rights Reserved. 12
CLOUD USAGE RISKS & OPPORTUNITIES REPORT September 2014
Summary
Users believe that few cloud apps are used by employees and BYOD devices, while other studies noted show that
hundreds of cloud apps are in use within each enterprise today. This tells us that cloud application discovery tools and
analytical tools on cloud app policy use and restrictions are crucial in the workplace, especially when it comes to
sensitive data being used by these cloud applications. With sensitive data being uploaded and shared by these apps
with authorized and unauthorized users, policy enforcement becomes a major role in protecting your data.
References
Asymco’s Estimate, http://www.asymco.com/2013/05/31/100-billion-app-downloads/
CASB Report, http://www.casb.org/about-casb/annual-report
Data Breach, http://www.netskope.com/reports-infographics/ponemon-2014-data-breach-cloud-multiplier-effect/
Netskope Cloud Report, http://www.netskope.com/reports/netskope-cloud-report-2014-april/
Ponemon Research, http://www.ponemon.org/blog/can-a-data-breach-in-the-cloud-result-in-a-larger-and-more-costly-
incident
